package com.sykj.common;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authz.AuthorizationFilter;

/**
 * AuthorizationFilter抽象类事项了javax.servlet.Filter接口，它是个过滤器。 
 * @author licj
 *
 */
public class RolesAuthorizationFilter extends AuthorizationFilter {

	@Override
	protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object object)
			throws Exception {
		
		Subject subject = getSubject(request, response);
		//角色数组强转
		String[] rolesArray = (String[]) object;
		//没有角色限制，有权限访问  
		if (rolesArray == null || rolesArray.length == 0) { 
            return true;  
        }
		//有角色限制，循环角色数组查看是登录用户是否有权限访问
		for (int i = 0; i < rolesArray.length; i++) {  
			//若当前用户是rolesArray中的任何一个，则有权限访问 
            if (subject.hasRole(rolesArray[i])) {  
                return true;  
            }  
        } 
		return false;
	}

}
